Add owner-agnostic service tokens

Introduces ServiceKey, a parallel primitive to APIKey for server-to-server auth where the owner is not an authkit user (e.g. an application or tenant row the consumer manages). owner_id has no FK and no RBAC linkage; cascade on owner-delete is the consumer's responsibility. AuthenticateServiceKey returns *ServiceKey directly rather than *Principal since service tokens have no user. Also exports MintOpaqueSecret / HashOpaqueSecret / ParseOpaqueSecret so both API-key and service-key code share one mint/parse implementation instead of duplicating it. Deps.ServiceKeys is required (panics in New if nil) — existing call sites must add ServiceKeys: stores.ServiceKeys. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 19:54:26 +00:00 · 2026-04-26 19:54:26 +00:00 · 4942e4dbdc
commit 4942e4dbdc
parent 9aae7b1c12
16 changed files with 664 additions and 24 deletions
--- a/errors.go
+++ b/errors.go
@ -11,6 +11,7 @@ var (
 	ErrTokenReused        = errors.New("authkit: token reuse detected")
 	ErrSessionInvalid     = errors.New("authkit: invalid or expired session")
 	ErrAPIKeyInvalid      = errors.New("authkit: invalid or expired api key")
+	ErrServiceKeyInvalid  = errors.New("authkit: invalid or expired service key")
 	ErrPermissionDenied   = errors.New("authkit: permission denied")
 	ErrRoleNotFound       = errors.New("authkit: role not found")
 	ErrPermissionNotFound = errors.New("authkit: permission not found")